CSRF fixes

Kiril Kirkov · Kiril Kirkov · commit e3c4efb78585 · 2026-03-13T08:09:25.000+02:00
diff --git a/application/config/config.php b/application/config/config.php
@@ -26,7 +26,7 @@
  */
 
 // add your base url here into the ELSE statement - ''.
-$config['base_url'] = 'http://electronic-invoicing-and-warehouse-management-system.test';
+$config['base_url'] = defined('BASE_URL') ? BASE_URL : '';
 
 /*
   |--------------------------------------------------------------------------
@@ -475,7 +475,7 @@
 $config['csrf_token_name'] = 'csrf_test_name';
 $config['csrf_cookie_name'] = 'csrf_cookie_name';
 $config['csrf_expire'] = 7200;
-$config['csrf_regenerate'] = TRUE;
+$config['csrf_regenerate'] = FALSE;
 $config['csrf_exclude_uris'] = array();
 
 /*
diff --git a/application/modules/admin/views/parts/general/footer.php b/application/modules/admin/views/parts/general/footer.php
@@ -21,7 +21,8 @@ function injectCsrf() {
             }
         }
 
-        document.addEventListener('DOMContentLoaded', injectCsrf);
+        injectCsrf();
+
         document.addEventListener('submit', function(e) {
             var form = e.target;
             if (form.method && form.method.toLowerCase() === 'post' && !form.querySelector('input[name="' + csrfName + '"]')) {
diff --git a/application/modules/users/views/parts/footer.php b/application/modules/users/views/parts/footer.php
@@ -57,9 +57,10 @@ function injectCsrf() {
             }
         }
 
-        // Inject on page load (covers programmatic .submit() calls)
-        document.addEventListener('DOMContentLoaded', injectCsrf);
-        // Also inject on submit event as fallback for dynamically created forms
+        // DOM is already ready here (footer script) — call directly
+        injectCsrf();
+
+        // Fallback for dynamically added forms submitted via submit event
         document.addEventListener('submit', function(e) {
             var form = e.target;
             if (form.method && form.method.toLowerCase() === 'post' && !form.querySelector('input[name="' + csrfName + '"]')) {
diff --git a/application/views/parts/footer.php b/application/views/parts/footer.php
@@ -47,6 +47,8 @@ function injectCsrf() {
         }
 
         document.addEventListener('DOMContentLoaded', injectCsrf);
+        // DOM is already ready in footer - call directly too
+        injectCsrf();
         document.addEventListener('submit', function(e) {
             var form = e.target;
             if (form.method && form.method.toLowerCase() === 'post' && !form.querySelector('input[name="' + csrfName + '"]')) {

Original file line number	Diff line number	Diff line change
`@@ -21,7 +21,8 @@ function injectCsrf() {`
`21`	`21`	`}`
`22`	`22`	`}`
`23`	`23`
`24`		`- document.addEventListener('DOMContentLoaded', injectCsrf);`
	`24`	`+ injectCsrf();`
	`25`	`+`
`25`	`26`	`document.addEventListener('submit', function(e) {`
`26`	`27`	`var form = e.target;`
`27`	`28`	`if (form.method && form.method.toLowerCase() === 'post' && !form.querySelector('input[name="' + csrfName + '"]')) {`
Original file line number	Diff line number	Diff line change
`@@ -57,9 +57,10 @@ function injectCsrf() {`
`57`	`57`	`}`
`58`	`58`	`}`
`59`	`59`
`60`		`- // Inject on page load (covers programmatic .submit() calls)`
`61`		`- document.addEventListener('DOMContentLoaded', injectCsrf);`
`62`		`- // Also inject on submit event as fallback for dynamically created forms`
	`60`	`+ // DOM is already ready here (footer script) — call directly`
	`61`	`+ injectCsrf();`
	`62`	`+`
	`63`	`+ // Fallback for dynamically added forms submitted via submit event`
`63`	`64`	`document.addEventListener('submit', function(e) {`
`64`	`65`	`var form = e.target;`
`65`	`66`	`if (form.method && form.method.toLowerCase() === 'post' && !form.querySelector('input[name="' + csrfName + '"]')) {`
Original file line number	Diff line number	Diff line change
`@@ -47,6 +47,8 @@ function injectCsrf() {`
`47`	`47`	`}`
`48`	`48`
`49`	`49`	`document.addEventListener('DOMContentLoaded', injectCsrf);`
	`50`	`+ // DOM is already ready in footer - call directly too`
	`51`	`+ injectCsrf();`
`50`	`52`	`document.addEventListener('submit', function(e) {`
`51`	`53`	`var form = e.target;`
`52`	`54`	`if (form.method && form.method.toLowerCase() === 'post' && !form.querySelector('input[name="' + csrfName + '"]')) {`